package com.ibm.ws.security.collaborator;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.AccessIdUtil;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.principals.WSPrincipal;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.security.mp.jwt.proxy.MpJwtHelper;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.security.registry.UserRegistryService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/collaborator/CollaboratorUtils.class */
public class CollaboratorUtils {
    private static final TraceComponent tc = Tr.register(CollaboratorUtils.class, (String) null, (String) null);

    /** Key under which the JASPIC-established principal is looked up in the WSCredential. */
    private static final String JASPI_PRINCIPAL_KEY = "com.ibm.wsspi.security.cred.jaspi.principal";

    /** Realm name returned when no user registry is configured (or the lookup fails). */
    private static final String DEFAULT_REALM = "defaultRealm";

    /** Provides the caller {@link Subject} that all principal resolution starts from. */
    protected SubjectManager subjectManager;

    // Kept as found; note that this class does not itself declare Serializable.
    static final long serialVersionUID = 1544996125297377090L;

    /**
     * Creates the helper around the given subject manager.
     *
     * @param subjectManager source of the current caller subject
     */
    public CollaboratorUtils(SubjectManager subjectManager) {
        this.subjectManager = subjectManager;
    }

    /**
     * Resolves the principal of the current caller subject.
     *
     * <p>Resolution order, first non-null wins:
     * <ol>
     *   <li>the JASPIC principal stored in the WSCredential (only when {@code z3} is true);</li>
     *   <li>the MicroProfile JWT principal, if one is present in the subject;</li>
     *   <li>a fresh {@link WSPrincipal} carrying the credential's security name (realm-qualified
     *       when {@code z} is true and {@code str} is non-null) plus the access id and
     *       authentication method of the WSPrincipal already in the subject.</li>
     * </ol>
     *
     * @param z   when true and {@code str} is non-null, the returned WSPrincipal name is
     *            prefixed with {@code str} and {@link AccessIdUtil#REALM_SEPARATOR}
     * @param str realm name used as the prefix described above; may be null
     * @param z2  when true, an unauthenticated subject yields {@code null}
     *            (presumably the web-container flavour of the call — confirm against callers)
     * @param z3  when true, a JASPIC principal found in the WSCredential takes precedence
     * @return the resolved principal, or {@code null} when there is no caller subject, the
     *         subject is unauthenticated and {@code z2} is set, no security name can be read,
     *         or the subject holds no WSPrincipal
     * @throws IllegalStateException if the subject holds more than one {@link WSPrincipal};
     *         an ambiguous identity is rejected rather than guessed
     */
    public Principal getCallerPrincipal(boolean z, String str, boolean z2, boolean z3) {
        Subject caller = this.subjectManager.getCallerSubject();
        if (caller == null) {
            return null;
        }
        SubjectHelper helper = new SubjectHelper();
        if (helper.isUnauthenticated(caller) && z2) {
            return null;
        }
        if (z3) {
            // JASPIC-authenticated identity wins over anything else in the subject.
            Principal jaspiPrincipal = getPrincipalFromWSCredential(helper, caller);
            if (jaspiPrincipal != null) {
                return jaspiPrincipal;
            }
        }
        String securityName = getSecurityNameFromWSCredential(helper, caller);
        if (securityName == null) {
            // Expired/destroyed credential (already recorded via FFDC) or no credential at all.
            return null;
        }
        Principal jwtPrincipal = MpJwtHelper.getJsonWebTokenPricipal(caller);
        if (jwtPrincipal != null) {
            return jwtPrincipal;
        }
        Set<WSPrincipal> wsPrincipals = caller.getPrincipals(WSPrincipal.class);
        if (wsPrincipals.size() > 1) {
            // Fail closed: never pick one of several identities.
            multiplePrincipalsError(wsPrincipals);
        }
        if (wsPrincipals.isEmpty()) {
            return null;
        }
        String qualifiedName = createPrincipalName(z, str, securityName);
        WSPrincipal existing = wsPrincipals.iterator().next();
        return new WSPrincipal(qualifiedName, existing.getAccessId(), existing.getAuthenticationMethod());
    }

    /**
     * Builds the principal name, realm-qualifying it when requested and a realm is available.
     *
     * @param z    whether realm qualification was requested
     * @param str  realm name; ignored when null
     * @param str2 the security name
     * @return {@code str + REALM_SEPARATOR + str2} when qualifying, otherwise {@code str2}
     */
    private String createPrincipalName(boolean z, String str, String str2) {
        if (z && str != null) {
            return str + AccessIdUtil.REALM_SEPARATOR + str2;
        }
        return str2;
    }

    /**
     * Reads the security name from the subject's WSCredential.
     *
     * @return the security name, or {@code null} when there is no WSCredential or the
     *         credential is expired/destroyed (both recorded via FFDC, not rethrown)
     */
    private String getSecurityNameFromWSCredential(SubjectHelper subjectHelper, Subject subject) {
        WSCredential credential = subjectHelper.getWSCredential(subject);
        if (credential == null) {
            return null;
        }
        try {
            return credential.getSecurityName();
        } catch (CredentialExpiredException expired) {
            FFDCFilter.processException(expired, "com.ibm.ws.security.collaborator.CollaboratorUtils", "127", this, new Object[]{subjectHelper, subject});
        } catch (CredentialDestroyedException destroyed) {
            FFDCFilter.processException(destroyed, "com.ibm.ws.security.collaborator.CollaboratorUtils", "129", this, new Object[]{subjectHelper, subject});
        }
        return null;
    }

    /**
     * Fetches the JASPIC principal that may have been stored in the subject's WSCredential.
     *
     * @return the stored principal, or {@code null} when there is no WSCredential, no such
     *         entry, or the lookup/cast fails (any exception is recorded via FFDC and traced)
     */
    private Principal getPrincipalFromWSCredential(SubjectHelper subjectHelper, Subject subject) {
        WSCredential credential = subjectHelper.getWSCredential(subject);
        if (credential == null) {
            return null;
        }
        try {
            return (Principal) credential.get(JASPI_PRINCIPAL_KEY);
        } catch (Exception failure) {
            // Broad catch is deliberate: a bad credential must degrade to "no JASPIC principal",
            // and the cast itself is covered too.
            FFDCFilter.processException(failure, "com.ibm.ws.security.collaborator.CollaboratorUtils", "142", this, new Object[]{subjectHelper, subject});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Internal error getting JASPIC Principal from credential", new Object[]{failure});
            }
            return null;
        }
    }

    /**
     * Raises the SEC_TOO_MANY_PRINCIPALS error, listing every WSPrincipal name found.
     *
     * @param set the conflicting principals (the caller only invokes this for size &gt; 1)
     * @throws IllegalStateException always
     */
    private void multiplePrincipalsError(Set<WSPrincipal> set) {
        String joined = null;
        for (WSPrincipal each : set) {
            String name = each.getName();
            if (joined == null) {
                joined = name;
            } else {
                joined = joined + ", " + name;
            }
        }
        throw new IllegalStateException(Tr.formatMessage(tc, "SEC_TOO_MANY_PRINCIPALS", new Object[]{joined}));
    }

    /**
     * Returns the realm of the configured user registry.
     *
     * @param atomicServiceReference reference to the security service to consult
     * @return the registry's realm, or {@code "defaultRealm"} when no registry is configured
     *         or a {@link RegistryException} occurs (recorded via FFDC and traced)
     */
    public String getUserRegistryRealm(AtomicServiceReference<SecurityService> atomicServiceReference) {
        try {
            // NOTE(review): only RegistryException is caught; if getService() can return null
            // while the service is unavailable, the resulting NPE propagates — confirm.
            SecurityService securityService = (SecurityService) atomicServiceReference.getService();
            UserRegistryService registryService = securityService.getUserRegistryService();
            if (registryService.isUserRegistryConfigured()) {
                return registryService.getUserRegistry().getRealm();
            }
        } catch (RegistryException failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.collaborator.CollaboratorUtils", "181", this, new Object[]{atomicServiceReference});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "RegistryException while trying to get the realm", new Object[]{failure});
            }
        }
        return DEFAULT_REALM;
    }
}
